U.S. Organizations Targeted by FormBook Malware Attacks

The majority of Formbook malware cyber attacks have focused on specific industry sectors in the United States and South Korea, but there is some worry that the malware will be employed in more attacks worldwide. So far, the Aerospace industry, defense contractors and the manufacturing sector have been mainly targeted; however, attacks have not been restrcited to these sectors. The financial services, energy and utility companies, services/consulting firms and educational institutions have also been targeted.

FireEye identified many ‘significant campaigns’ in the United States and South Korea and reports that cyber attacks are chiefly happening through spam email. The emails being broadcast are generic, rather than spear phishing emails at specific targets, although the cyber attacks are concentrated on specific industry sectors.

The malicious attachments implemented to download and install FormBook malware are not the same in the United States and South Korea. In the United States, the attackers are mainly using PDF files, Word documents and XLS spreadsheets. The Office documents include malicious macros, which download the malware when run by end users. The PDF files have an embedded link that, if clicked, will install the malicious payload. The emails found by FireEye spoof DHL and FedEx and claim to have details of shipments. In South Korea, a campaign has been found using .ACE, .ISO, .RAR, and .ZIP files, with the executable sent with the email.

FormBook malware has persistence and can complete a wide variety of functions. It is a keylogger, can obtain data from the clipboard, steal cookies and passwords, can initiate and stop processes, force a reboot, extract data from HTTP sessions, take screenshots, and download other files. One campaign has been implemented to download the Nanocore Trojan onto infected devices.

While the primary objective of FormBook malware seems to be espionage, it can be utilized in all manner of attacks and nefarious purposes. The malware is being used by many people and is being rented via underground marketplaces as malware-as-a-service; complete with a simple to use web interface for compiling executables.

Further, the cost of hiring the malware is relatively minimal – $29 per month or $299 for a full package professional option. The developers believe the malware is advanced Internet activity logging software and allows end users a “powerful Internet monitoring experience”.

Due to the low costs, ease of implementation, and the wide range of functions, this malware variant is predicted to become a major danger to all companies.